Verified Commit e5898b3d authored by David Beniamine

Cleaner management of clock skew

parent ad099dc7
......@@ -6,7 +6,8 @@ PHPMYADMIN_PORT=8001
# Labnbook
i18n=true
TOKEN_TTL=2
TOKEN_TTL=1800
TOKEN_LEEWAY=20
LOCKER_VALIDITY=61
REFRESH_PERIOD=30
CSRF_LEVEL=log
......@@ -27,9 +27,13 @@ class JWTServer
/** @var int ttl seconds */
private $ttl;
/** @var int leeway seconds (clock skew)*/
private $leeway;
public function __construct(){
$this->ttl = config('labnbook.token_ttl', 600);
$this->leeway = config('labnbook.token_leeway', 20);
}
/**
......@@ -136,18 +140,15 @@ class JWTServer
json_encode(array_keys($missings)));
}
// Validate claims iat, nbf and exp
$data = new ValidationData();
$now =\Carbon\Carbon::now()->getTimestamp();
// Validate claims iat, nbf and exp with a leeway to handle clock skew
$data = new ValidationData($now, $this->leeway);
// Checkh that token is not expired
$expireTms =\Carbon\Carbon::now()->addSeconds($this->ttl)->getTimestamp();
if ($jwt->getClaim('iat') > $expireTms) {
$expireTms = \Carbon\Carbon::createFromTimestamp($jwt->getClaim('iat'))->addSeconds($this->ttl)->getTimestamp();
if ($now > $expireTms) {
throw new JWTException('Token expired');
}
// Token is not expired, we set the validation date to the remote server date to avoid errors due to clock skew
$data->setCurrentTime($jwt->getClaim('iat'));
// Check timestamps are coherent
if (!$jwt->validate($data)){
throw new JWTException('Cannot validate token data');
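Review bot: `createFromTimestamp($jwt->getClaim('iat'))` on the new expiry line trusts the claim's type: the `$missings` check above appears to verify only that `iat` is present, so a string or otherwise non-integer value reaches Carbon and surfaces as a Carbon or type error rather than a `JWTException`, which a caller that translates `JWTException` into a 401 presumably will not catch; reading the claim once and checking it, `$iat = $jwt->getClaim('iat'); if (!is_int($iat)) { throw new JWTException('Cannot validate token data'); }` followed by `$expireTms = $iat + $this->ttl;`, keeps every rejection on the one exception path and drops the Carbon round trip. The TTL bound `if ($now > $expireTms)` applies no leeway although `new ValidationData($now, $this->leeway)` does for the standard claims, so a remote clock that runs behind sees tokens rejected up to `TOKEN_LEEWAY` seconds before the TTL elapses; either compare against `$expireTms + $this->leeway` or say in the comment that the TTL bound is deliberately strict (and fix the "Checkh" typo while there). In the constructor hunk, `$ttl` and `$leeway` are documented as `@var int` but values set in `.env` reach `config()` as strings (the same applies to `"token_leeway" => env('TOKEN_LEEWAY', 20)` in the config hunk), so `(int) config('labnbook.token_ttl', 600)` and `(int) config('labnbook.token_leeway', 20)` would make the properties match their docblocks. The enclosing method continues outside the hunk.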
......@@ -14,6 +14,7 @@ return [
"separator" => "-|-", // séparateur des attributs pour les traces
'i18n' => env('i18n', true),
"token_ttl" => env('TOKEN_TTL', 1800),
"token_leeway" => env('TOKEN_LEEWAY', 20),
"csrf_level" => env('CSRF_LEVEL', 'log'),
"ips" => explode(',', env('IPS')),
"maintenance" => env('MAINTENANCE_MESSAGE'),
......@@ -58,12 +58,18 @@ class JwtUnauthorizedCest
$payload = [
'sub' => $I->id_teach_ext,
'dest' => "$I->prefix/auth/login",
'iat' => \Carbon\Carbon::now()->addSeconds(20)->getTimestamp(),
'iat' => \Carbon\Carbon::now()->subSeconds(30)->getTimestamp(),
'iss' => $I->id_inst+1,
'orig' => 'inst',
];
$I->send('auth/login', 'POST', $payload, $I->key, false);
$I->expectError('Token expired', HttpCode::UNAUTHORIZED);
$payload['iat'] = \Carbon\Carbon::now()->addSeconds(30)->getTimestamp();
$I->send('auth/login', 'POST', $payload, $I->key, false);
$I->expectError('Cannot validate token data', HttpCode::UNAUTHORIZED);
}
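Review bot: The two new assertions hard-code their offsets (30 s in the past expects `Token expired`, 30 s in the future expects `Cannot validate token data`) while the outcome depends on the configured `token_ttl` and `token_leeway`; with the `TOKEN_TTL=1800` shown in the `.env` hunk a token issued 30 s ago would not be expired, so the test presumably relies on a test-specific TTL that it does not state. If the Laravel helpers are available in this suite, deriving the offsets from the config, e.g. `$ttl = (int) config('labnbook.token_ttl'); $leeway = (int) config('labnbook.token_leeway');` and then `subSeconds($ttl + $leeway + 1)` / `addSeconds($leeway + 10)`, would make the boundary under test explicit and keep the test valid when the values change. A third case right at the boundary (`iat` exactly `$leeway` seconds in the future, expected to be accepted) would cover the leeway this commit introduces.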